[Oberon] Re: 2: Have we got email send authenticate ability ?

Roger Keller kellerog at student.ethz.ch
Tue Feb 14 22:38:37 CET 2006


> IIRC, at least current versions of Lookout and OE both do plain, 
> SSL and/or TLS, and with plain or CRAM-MD5, and probably have 
> done for some years now. Not always 'correctly' in all respects.

the client of course has to use an authentication method offered by the
server. if the server only offers plain text auth, the client does not have
any choice. and basically if the server was to offer tls secured
communication, the authentication would then (usually) happen over the
secure channel...

> TLS, OTOH, does reveal some information 'en clair' during the 
> EHLO/HELO handshake before STARTTLS encryption is is set up.  IF 
> it is even selected or 'fallback' denied so it is set up at all...

usually the only two clear text commands when using tls are the EHLO and the
STARTTLS commands ... so there's usually no information one would not give
away anyway ...

--roger



More information about the Oberon mailing list